Shane Hartman CISSP, GCIA, GREM Suncoast Security Society

Size: px

Start display at page:

Download "Shane Hartman CISSP, GCIA, GREM Suncoast Security Society"

Amberlynn Cain
10 years ago
Views:

1 Shane Hartman CISSP, GCIA, GREM Suncoast Security Society

2 Analyzing Malware Why Flash Malware Structure of an SWF File History of Flash Scripting Exploit Example 1: Social Engineering Exploit Example 2: Clipboard Hijack Exploit Example 3: Multi Step Redirection Exploit Example 4: Shell Code Exploit

Engineering Exploit Example 2: Clipboard Hijack Exploit

3 Flash player is almost everywhere Platform independent Unix/ Windows It supports an extensive coding To run on a victims browser Place banner ad Inject links to SWF files via SQL Injection or XSS Ask the user to click on link to SWF file

victims browser Place banner ad Inject links to SWF files

4 Malicious Javascript is much easier to detect Companies like: Websense Bluecoat Checkpoint FW can analyze the code before its executed. With the introduction of Action Script 3 a highly robust environment * Because it is embedded and executed client side it is much more difficult to analyze, much like Java applets.

With the introduction of Action Script 3 a highly robust environment * Because

5 Target flash player vulnerabilities Control some aspect of the victims environment ie. The victims clipboard Redirect victim to malicious sites

6 Header, version, length, frame, info, etc Additional details in the FileAttributes tab Optional in earlier versions Used to tell the Flash Player to use the newer VM for AS 3 Definition and control tags, recognized by tag type number, eg 1 : ShowFrame (displays current frame) 12: DoAction (defines ActionScript 1 or 2) 82: DoABC (defines ActionScript 3)

Definition and control tags, recognized by tag type number, eg 1 : ShowFrame (displays

7 Version 1: Basic geometry and animations only Version 2: Several animation control tags Version 3: Support for keyboard and mouse events Version 4: Full scripting implementation via actions Version 5 6: Support for ActionScript 1 Version 7 8: Support for ActionScript 2 Version 9+: Support for ActionScript 3 Different VM

scripting implementation via actions Version 5 6: Support for ActionScript 1

8 Before analyzing flash lets look at malware analysis Behavior Analysis Observe what happens when executed Capture and analyze traffic on the network Attempt to simulate and interact with the program Code Analysis Capture the program / code Decompile / analyze Break down each component and follow the road map

Attempt to simulate and interact with the program Code Analysis Capture the

9 To: Subject: What Up Check this out..

11 Swfextract Flare Dump Flash

13 Right click on the swf file and select Decompile to product a.flr text file movie c:\temp\zoxdgeysjn6.swf { // flash 6, total frames: 136, frame rate: 12 fps, 1x1, compressed // unknown tag 88 length 78 frame 15 { geturl( ); } }

swf { // flash 6, total frames: 136, frame rate: 12 fps, 1x1,

15 Clipboard persistently contains an unfamiliar URL Adding new content to the clipboard seems to have no effect

16 Swfdump abcdump Nemo 440

17 c:\temp\swfdump Ddu clipboard poc.swf > clipboard poc.swfdump.txt

18 c:\temp\abcdump clipboard poc.swf notepad clipboard poc.swf.il

20 Visitors to taringa.net saw the following banner ad. Some were redirected to a site that told them of a spyware problem So, what was going on? Much more complicated

22 Nothing suspicious when loading the SWF file in the browser Clicking on the ad shows nothing suspicious Could it be sensitive to something: Time URL Parameters, etc.

23 Decompiled swf with Flare Code doesn t reveal much Looks to be concealed

25 ActionScript View P Code View

26 There are encryptors meant to protect your code The suggestion is they will protect your intellectual work Malware authors are using these tools to make it more difficult to dissect and understand what the malicious code is trying to do

29 Open swf > Debug > List variables

31 <param name= movie value= swf/gnida.swf?campaign=weidoneous&u= />

34 A vulnerability in Flash Player 9 led to many exploits (CVE ) A problem with code that processed the scene number Allowed the execution of arbitrary code via shellcode

36 You can extract hex values from swfdump output An alturnative is to uncompress the SWF file with flashm, then extract with a hex editor

40 WOT Security Scorecard

43 Place code inside and unknown tag and jump there Place code after the end tag and jump there Jump in the middle of the code block Use and abstraction framework Use a commercial protector

44 Capture as many details from the victim or live site as possible Note HTTP headers, cookies, etc. Disassemble and analyze SWF files, retrieving new files as necessary Unprotect if you can; may be limited to behavioral analysis

45 Support ActionScript 1 & 2 only Flashm, Flare, Dump Flash Decompiler JSwiff, SWF toolkit (swf_dump) Support ActionScript 3 only abcdump, Flex SDK swfdump, Nemo 440 Supports ActionScript 1,2 & 3 SWFTools swfdump Commercial: Sothink SWF, Decompiler Trillix

46 ActionScript 3 AVM2 Overview: SWF File Format Specification: OWASP Paper on Malicious SWFs: AppSecEU08 Fukami.pdf OWASP Flash Security Project Clickjacking &articleid= &source=rss_topic17

RIA SECURITY TECHNOLOGY

RIA SECURITY TECHNOLOGY Ulysses Wang Security Researcher, Websense Hermes Li Security Researcher, Websense 2009 Websense, Inc. All rights reserved. Agenda RIA Introduction Flash Security Attack Vectors